Skip to main content

Stronger Security and Constructions of Multi-designated Verifier Signatures

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12551)


Off-the-Record (OTR) messaging is a two-party message authentication protocol that also provides plausible deniability: there is no record that can later convince a third party what messages were actually sent. The challenge in group OTR, is to enable the sender to sign his messages so that group members can verify who sent a message (signatures should be unforgeable, even by group members). Also, we want the off-the-record property: even if some verifiers are corrupt and collude, they should not be able to prove the authenticity of a message to any outsider. Finally, we need consistency, meaning that if any group member accepts a signature, then all of them do.

To achieve these properties it is natural to consider Multi-Designated Verifier Signatures (MDVS). However, existing literature defines and builds only limited notions of MDVS, where (a) the off-the-record property (source hiding) only holds when all verifiers could conceivably collude, and (b) the consistency property is not considered.

The contributions of this paper are two-fold: stronger definitions for MDVS, and new constructions meeting those definitions. We strengthen source-hiding to support any subset of corrupt verifiers, and give the first formal definition of consistency. We build three new MDVS: one from generic standard primitives (PRF, key agreement, NIZK), one with concrete efficiency and one from functional encryption.

This research was supported by: the Concordium Blockhain Research Center, Aarhus University, Denmark; the Carlsberg Foundation under the Semper Ardens Research Project CF18-112 (BCM); the European Research Council (ERC) under the European Unions’s Horizon 2020 research and innovation programme under grant agreement No 669255 (MPCPRO) and No 803096 (SPEC); the Danish Independent Research Council under Grant-ID DFF-6108-00169 (FoCC); the NSF MACS project.

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-64378-2_9
  • Chapter length: 32 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   84.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-64378-2
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   109.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.


  1. 1.

    Ring signatures [RST01] can be similarly used in this context; \(\mathsf {S}\)ophia could use a ring signature scheme to sign in such a way that anyone could verify that the signature came from someone in her organization, but not that it came from her, specifically. However, MDVS has an advantage here, since it is possible that \(\mathcal {A}\)aron only doubts the trustworthiness of one of his colleagues; if \(\mathsf {S}\)ophia uses a ring signature, that signature would convince \(\mathcal {A}\)aron that she was the signer, but if she uses an MDVS signature, \(\mathcal {A}\)aron wouldn’t know whether she was the true signer, or whether the signature was just a simulation (even if \(\mathsf {S}\)ophia was his only suspect).

    In the context of a group off-the-record conversation, MDVS signatures are clearly the right tool, as members of the group should learn the identity of the sender of each message.

  2. 2.

    One previous work [Tia12] allows a single verifier to simulate a signature. However, in this construction a simulated signature created by a malicious verifier will look like a real signature for all other designated verifers, violating unforgeability.

  3. 3.

    Note that privacy of identities is related to—but very different from—off-the-record. Neither of these definitions is strictly stronger than the other. Privacy of identities is weaker in that it assumes that none of the \(\mathsf {R}\)eporters help in identifying \(\mathsf {S}\)ophia as the sender, while off-the-record makes no such assumptions. However, privacy of identities is stronger in that it requires that \(\sigma \) alone reveal nothing about \(\mathsf {S}\)ophia’s identity to anyone other than the \(\mathsf {R}\)eporters; off-the-record allows such leakage, as long as it is not provable.

  4. 4.

    This trusted authority can also be distributed; perhaps the master secret is secret-shared across several different institutions, who must collaborate in order to produce a secret verification key.

  5. 5.

    If only one designated verifier can simulate a signature, it must be distinguishable from a real signature by other verifiers (by the strong unforgeability property). Two colluding verifiers would be able to prove to an outsider that a given signature is not a simulation by showing that it verifiers for both of them. So, any-subset simulation gives strictly stronger off-the-record guarantees than one-verifier simulation.

  6. 6.

    Note that when all designated verifiers are needed for the simulation, then a designated verifier will be able to distinguish a simulation from a real signature based on whether he participated in the simulation of the signature. However, if this is the only way he can distinguish, then the signature scheme has weak unforgeability, since the simulated signature is still a valid forgery.

  7. 7.

    Note that our construction from standard primitives does make use of MAC schemes; however, it does so in a complex, non-black-box way.

  8. 8.

    Simply proving that all of the signatures verify would violate the off-the-record property; instead, the signer proves that either all of the signatures are real, or they are all simulated, as described in Sect. 3.

  9. 9.

    The group G will be used in the construction of the PSDVS scheme.

  10. 10.

    This set-up need to keep the factorization of n secret. Hence, to avoid relying on a trusted party, the parties can use an interactive protocol to generate n securely, there are several quite efficient examples in the literature.

  11. 11.

    \(k\) can be computed using the standard “discrete log” algorithm from Paillier decryption.

  12. 12.

    The original CDRA assumption does not have the restriction to Jacobi symbol 1, but since the Jacobi symbol is easy to compute without the factors of n, the two versions are equivalent.

  13. 13.

    We assume that the mapping \(i\rightarrow ({ssk}_i,{spk}_i)\) is unique in the system. This can be achieved without loss of generality by pseudorandomly generating the randomness required in the key generation process from the identity i and the master secret key.

  14. 14.

    We assume that the mapping \(j\rightarrow ({vsk}_j,{vpk}_j)\) is unique in the system. This can be achieved wlog by pseudorandomly generating the randomness required in the key generation process from the identity j and the master secret key.


  1. Ananth, P., Vaikuntanathan, V.: Optimal bounded-collusion secure functional encryption. In: Hofheinz, D., Rosen, A. (eds.) TCC 2019. LNCS, vol. 11891, pp. 174–198. Springer, Cham (2019).

    CrossRef  Google Scholar 

  2. Borisov, N., Goldberg, I., Brewer, E.: Off-the-record communication, or, why not to use PGP. In: Proceedings of the 2004 ACM Workshop on Privacy in the Electronic Society, pp. 77–84. ACM (2004)

    Google Scholar 

  3. Badrinarayanan, S., Goyal, V., Jain, A., Sahai, A.: Verifiable functional encryption. In: Cheon, J.H., Takagi, T. (eds.) ASIACRYPT 2016. LNCS, vol. 10032, pp. 557–587. Springer, Heidelberg (2016).

    CrossRef  Google Scholar 

  4. Chaum, D.: Private signature and proof systems. US Patent 5,493,614 (1996)

    Google Scholar 

  5. Chang, T.Y.: An ID-based multi-signer universal designated multi-verifier signature scheme. Inf. Comput. 209(7), 1007–1015 (2011)

    MathSciNet  CrossRef  Google Scholar 

  6. Chow, S.S.M.: Identity-based strong multi-designated verifiers signatures. In: Atzeni, A.S., Lioy, A. (eds.) EuroPKI 2006. LNCS, vol. 4043, pp. 257–259. Springer, Heidelberg (2006).

    CrossRef  Google Scholar 

  7. Chow, S.S.M.: Multi-designated verifiers signatures revisited. IJ Netw. Secur. 7(3), 348–357 (2008)

    Google Scholar 

  8. Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012).

    CrossRef  Google Scholar 

  9. Jakobsson, M., Sako, K., Impagliazzo, R.: Designated verifier proofs and their applications. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 143–154. Springer, Heidelberg (1996).

    CrossRef  Google Scholar 

  10. Li, Y., Susilo, W., Mu, Y., Pei, D.: Designated verifier signature: definition, framework and new constructions. In: Indulska, J., Ma, J., Yang, L.T., Ungerer, T., Cao, J. (eds.) UIC 2007. LNCS, vol. 4611, pp. 1191–1200. Springer, Heidelberg (2007).

    CrossRef  Google Scholar 

  11. Laguillaumie, F., Vergnaud, D.: Multi-designated verifiers signatures. In: Lopez, J., Qing, S., Okamoto, E. (eds.) ICICS 2004. LNCS, vol. 3269, pp. 495–507. Springer, Heidelberg (2004).

    CrossRef  Google Scholar 

  12. Laguillaumie, F., Vergnaud, D.: Multi-designated verifiers signatures: anonymity without encryption. Inf. Process. Lett. 102(2–3), 127–132 (2007)

    MathSciNet  CrossRef  Google Scholar 

  13. Marlinspike, M.: Advanced cryptographic ratcheting (2013)

    Google Scholar 

  14. Ming, Y., Wang, Y.: Universal designated multi verifier signature scheme without random oracles. Wuhan Univ. J. Nat. Sci. 13(6), 685–691 (2008).

    MathSciNet  CrossRef  Google Scholar 

  15. Ng, C.Y., Susilo, W., Mu, Y.: Universal designated multi verifier signature schemes. In: 11th International Conference on Parallel and Distributed Systems, ICPADS 2005, Fuduoka, Japan, 20–22 July 2005, pp. 305–309 (2005)

    Google Scholar 

  16. Rivest, R.L., Shamir, A., Tauman, Y.: How to leak a secret. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 552–565. Springer, Heidelberg (2001).

    CrossRef  Google Scholar 

  17. Seo, S.-H., Hwang, J.Y., Choi, K.Y., Lee, D.H.: Identity-based universal designated multi-verifiers signature schemes. Comput. Stand. Interfaces 30(5), 288–295 (2008)

    CrossRef  Google Scholar 

  18. Shailaja, G., Kumar, K.P., Saxena, A.: Universal designated multi verifier signature without random oracles. In: 9th International Conference in Information Technology, ICIT 2006, Bhubaneswar, Orissa, India, 18–21 December 2006, pp. 168–171 (2006)

    Google Scholar 

  19. Tian, H.: A new strong multiple designated verifiers signature. IJGUC 3(1), 1–11 (2012)

    CrossRef  Google Scholar 

  20. Vergnaud, D.: New extensions of pairing-based signatures into universal designated verifier signatures. In: Bugliesi, M., Preneel, B., Sassone, V., Wegener, I. (eds.) ICALP 2006. LNCS, vol. 4052, pp. 58–69. Springer, Heidelberg (2006).

    CrossRef  Google Scholar 

  21. Zhang, Y., Au, M.H., Yang, G., Susilo, W.: (Strong) multi-designated verifiers signatures secure against rogue key attack. In: Xu, L., Bertino, E., Mu, Y. (eds.) NSS 2012. LNCS, vol. 7645, pp. 334–347. Springer, Heidelberg (2012).

    CrossRef  Google Scholar 

  22. Zheng, Y.: Digital signcryption or how to achieve cost(signature & encryption) \(\ll \) cost(signature) + cost(encryption). In: Kaliski, B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 165–179. Springer, Heidelberg (1997).

    CrossRef  Google Scholar 

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Anca Nitulescu .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2020 International Association for Cryptologic Research

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Damgård, I., Haagh, H., Mercer, R., Nitulescu, A., Orlandi, C., Yakoubov, S. (2020). Stronger Security and Constructions of Multi-designated Verifier Signatures. In: Pass, R., Pietrzak, K. (eds) Theory of Cryptography. TCC 2020. Lecture Notes in Computer Science(), vol 12551. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64377-5

  • Online ISBN: 978-3-030-64378-2

  • eBook Packages: Computer ScienceComputer Science (R0)